Impact
The restricted pod security policy (PSP), provided in Rancher versions from 2.0 up to and including 2.6.3, has a deviation from the upstream restricted policy provided in Kubernetes: Rancher's PSP has runAsUser set to RunAsAny, while upstream has runAsUser set to MustRunAsNonRoot. This allows containers to run as any user, including a privileged user (root), even when Rancher's restricted policy is enforced on a project or at cluster level.
A new restricted-noroot PSP was created to prevent pods from running as root when this policy is enforced. This new policy was introduced instead of patching the currently provided restricted policy, in order to avoid breaking users' workloads that use the restricted PSP and that might be running as a privileged user.
Note: Running containers as root increases the risk of a compromised container being used by a malicious actor as an attack platform to further exploit the user's environment. It is a security best practice to avoid running containers as a privileged user and to limit this to workloads where it is strictly necessary.
Patches
Patched versions include release 2.6.4 and later versions. The existing restricted PSP in Rancher 2.6.4 was not modified and still allows containers to run as a privileged user, as explained above. This fix was not backported to previous releases.
For Rancher 2.6.4 and later releases, users who use the current restricted PSP and want to prevent containers from running as root are advised to migrate to the new restricted-noroot policy. Before doing this migration, it is necessary to verify whether affected workloads are currently running as a privileged user and, according to the users' own environment, modify them to run as a non-privileged user. A redeployment of the affected workload is necessary in order for the new PSP to take effect.
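Added example, not Rancher's code: a small Python model of the two runAsUser rules named above (RunAsAny for the existing restricted PSP, MustRunAsNonRoot for restricted-noroot), run over constructed pod specs to show which workloads the new PSP rejects that the old one admits, and which ones still depend on a non-root image. The function names and the sample pods are assumptions made for this example.

```python
"""Model of PSP runAsUser rules applied to pod specs (added example, not Rancher's code)."""

# PSP runAsUser rules as named in the advisory.
RESTRICTED = "RunAsAny"                 # Rancher's 'restricted' PSP (unchanged in 2.6.4)
RESTRICTED_NOROOT = "MustRunAsNonRoot"  # Rancher's 'restricted-noroot' / upstream 'restricted'


def effective_user_settings(pod_spec, container):
    """Container-level securityContext overrides the pod-level one (Kubernetes semantics)."""
    pod_ctx = pod_spec.get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    return (
        ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser")),
        ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")),
    )


def check_container(rule, pod_spec, container):
    """Return 'allowed', 'rejected' or 'image-must-be-nonroot' for one container.

    'image-must-be-nonroot' is the MustRunAsNonRoot case where neither runAsUser nor
    runAsNonRoot is set: the PSP mutates the pod to runAsNonRoot=true, so the kubelet
    refuses to start an image whose USER is root or is not a numeric UID.
    """
    if rule == RESTRICTED:
        return "allowed"  # UID 0 is admitted: this is the deviation the advisory reports
    uid, non_root = effective_user_settings(pod_spec, container)
    if uid == 0 or non_root is False:
        return "rejected"
    if uid is None and non_root is None:
        return "image-must-be-nonroot"
    return "allowed"


def evaluate_pod(rule, pod_spec):
    """Map each container name to its verdict under the given PSP runAsUser rule."""
    return {c["name"]: check_container(rule, pod_spec, c) for c in pod_spec["containers"]}


# Constructed sample workloads (hypothetical, not taken from the advisory).
SAMPLE_PODS = {
    "legacy-root": {"containers": [{"name": "app", "securityContext": {"runAsUser": 0}}]},
    "uid-1000": {"securityContext": {"runAsUser": 1000}, "containers": [{"name": "app"}]},
    "no-settings": {"containers": [{"name": "app"}]},
    "mixed": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "web"},
                             {"name": "sidecar", "securityContext": {"runAsUser": 0}}]},
}

if __name__ == "__main__":
    for name, spec in SAMPLE_PODS.items():
        print(name, evaluate_pod(RESTRICTED, spec), evaluate_pod(RESTRICTED_NOROOT, spec))
```

Running the block prints, for each sample pod, the verdicts under both rules; the "legacy-root" and "mixed" pods are the kind of workload the Patches section says must be modified and redeployed before switching to restricted-noroot.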
Workarounds
Users running Rancher 2.6.3 and previous releases, which did not receive this backport, and who want to benefit from this fix can manually create a new restricted-noroot PSP on their clusters through the Rancher UI. The template of the restricted-noroot policy provided in Rancher 2.6.4 is available in the source code. As a reminder, it is also necessary to manually verify and redeploy the running workloads before enabling a more restrictive pod security policy.
References
For instructions on how to configure pod security policies using Rancher, please refer to the documentation page. For more information on PSPs in Kubernetes, please refer to the Kubernetes documentation (permalink).
Important reminder: Pod security policies are considered deprecated since Kubernetes v1.21, and will be removed in Kubernetes v1.25. Consult Kubernetes' documentation (permalink) regarding how to migrate from PodSecurityPolicy to Kubernetes' built-in PodSecurity Admission Controller. For the list of supported Kubernetes versions in Rancher, please consult our support matrix.
For more information
If you have any questions or comments about this advisory: